Criminals are exploiting the fallout from the recent CrowdStrike incident to push malware at people searching for a fix, and experts warn that some campaigns are quite creative: at first glance the lures look like genuine help with the problem.
CrowdStrike says it observed a phishing campaign in which the criminals distribute a document named 'New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm', BleepingComputer reports.
When opened, the document displays a copy of a Microsoft support bulletin that instructs the reader on how to use Microsoft's new recovery tool, which is supposed to automatically remove the faulty CrowdStrike driver from the Windows PC.
Infected with Daolpu
However, the document is also packed with macros that ultimately serve to steal information. A macro is a Microsoft Office feature for automating repetitive tasks. Over the years it has been abused to distribute malware to such an extent that Microsoft now blocks macros by default in Office files downloaded from the internet (files carrying the Mark of the Web); the .docm extension itself signals a macro-enabled document.
In this case, however, the criminals still rely on macros to install an information stealer called Daolpu. The malware steals account credentials, browsing history, and authentication cookies stored in Chrome, Edge, and Firefox. It also targets data stored in Cốc Cốc, a web browser popular in Vietnam, which BleepingComputer argues could hint at the threat actor's origin, or at least its location.
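A first triage step for a suspicious Office attachment such as the .docm lure above is to check, without opening it in Word, whether it carries a VBA project at all. The example below is added here and is not code from the article, CrowdStrike or BleepingComputer; it builds two small constructed documents in memory (a macro-enabled one and a plain one, not the real lure) and inspects the OOXML zip container for the two standard indicators: a word/vbaProject.bin part and a macroEnabled content type in [Content_Types].xml.

```python
import io
import zipfile

# Standard OOXML content types. The macroEnabled variant is what Word writes
# for .docm files; the other is a plain .docx main document part.
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN_CT = ("application/vnd.openxmlformats-officedocument."
                "wordprocessingml.document.main+xml")
VBA_PART_CT = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # CFB header of vbaProject.bin


def build_sample_doc(macro_enabled: bool) -> bytes:
    """Constructed stand-in for a .docm / .docx file (sample data, not the lure).

    Only the parts this check looks at are written; a real document has many more.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        overrides = [f'<Override PartName="/word/document.xml" ContentType="'
                     f'{DOCM_MAIN_CT if macro_enabled else DOCX_MAIN_CT}"/>']
        if macro_enabled:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             f'ContentType="{VBA_PART_CT}"/>')
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
                   'content-types">' + "".join(overrides) + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # A real vbaProject.bin is an OLE compound file; a header stub is
            # enough to make the indicator visible to this check.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def macro_indicators(data: bytes) -> dict:
    """Report which macro indicators an OOXML document carries.

    Returns all-False for anything that is not a zip container (e.g. a legacy
    OLE .doc), so the caller can route those to a different analyser.
    """
    result = {"vba_project_part": False,
              "macro_enabled_content_type": False,
              "ole_header_in_vba_part": False}
    if not data.startswith(b"PK"):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["vba_project_part"] = bool(vba_parts)
        if vba_parts:
            result["ole_header_in_vba_part"] = z.read(vba_parts[0]).startswith(OLE_MAGIC)
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_content_type"] = "macroEnabled" in ct
    return result


def has_vba_macros(data: bytes) -> bool:
    """True if either indicator is present; an attacker cannot hide the
    vbaProject.bin part without Word refusing to run the macros."""
    ind = macro_indicators(data)
    return ind["vba_project_part"] or ind["macro_enabled_content_type"]


if __name__ == "__main__":
    for label, doc in (("docm", build_sample_doc(True)),
                       ("docx", build_sample_doc(False))):
        print(label, has_vba_macros(doc), macro_indicators(doc))
```

This answers only "does it contain a VBA project?", which is the decision point for a helpdesk or SOC triaging a flood of "recovery tool" attachments. Extracting and reading the macro source (to confirm the stealer download described above) is a separate step; the oletools project's olevba handles that, and this check is the cheap filter in front of it.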
CrowdStrike had released a flawed sensor content update that crashed many Windows PCs around the world, leaving them stuck in a blue-screen reboot loop. As a result, many major organizations, including banks, airlines, and TV stations, were unable to operate.
Unsurprisingly, the event drew cybercriminals, who used it as an opportunity to compromise devices, steal sensitive information, and possibly money as well.
The US Cybersecurity and Infrastructure Security Agency (CISA) also warned of an ongoing phishing campaign, urging users to “avoid clicking on phishing emails or suspicious links.”
CISA says it has already observed multiple campaigns in which criminals impersonated CrowdStrike or presented themselves as IT professionals capable of quickly fixing the problem. In at least one of those emails, the scammers asked for cryptocurrency in exchange for a solution.
A separate warning from ANY.RUN highlighted a malware campaign targeting customers of the bank BBVA that offered a fake CrowdStrike hotfix update, which actually installs the Remcos remote access trojan (RAT).